Filtering Controls

While you will most commonly want to run all the controls in a benchmark, there are times when you want to only run single control, or filter the controls to run in a benchmark.

Filtering by Control Tags

You can filter controls by the control tags. For example, to run the controls in the cis_v150 benchmark that have tags cis_level=1 and benchmark=cis:

powerpipe benchmark run cis_v150 --tag cis_level=1 --tag cis=true

This filter works with all as well:

powerpipe benchmark run all --tag cis_level=1 --tag cis=true

Filtering with --where

You can also filter the controls to run using a where clause on the properties of the benchmark.

powerpipe benchmark run all --where "severity in ('critical', 'high')"

You can preview which controls will run with the --dry-run flag:

powerpipe benchmark run cis_v150 --where "severity in ('critical', 'high')" --dry-run

Running specific controls

You can run a single control at a time with the powerpipe control command.

You can list the controls:

powerpipe control list

And run them by name, similar to benchmarks:

powerpipe control run my_control

Unlike benchmarks, some controls may define parameters. You can pass values for them using one or more --arg arguments:

powerpipe control run my_control_with_params --arg my_simple_arg='this is a string' --arg my_list_arg='["item 1","item 2"]'

If the parameters are unnamed, you can pass values for them without specifying a name. The args will be passed to the query in order - the first --arg as $1, the second as $2, etc.:

powerpipe control run my_control_with_params --arg 'this is a string' --arg '["item 1","item 2"]'